Networking, Routers and Routing



     Chapter 11


    Applying Access Control Lists

    These notes explain how to apply Access Control Lists to interfaces.

    Introduction

    Applying ACLs
            Applying an ACL to an Interface - IN or OUT?
            Placement of Standard and Extended ACLs - Which Router?

    Summary


    Introduction

    Applying ACLs involves...

    • Attaching the ACL to a router interface
    • Specifying the direction in which the traffic should be filtered

    You should be aware that on every interface you may apply one IP ACL that filters traffic coming into the router and a different ACL that filters traffic leaving the router through that interface. So, you may well have a lot of different ACLs applied to various interfaces on your router.


    Applying ACLs

    Now it is time to consider how to apply an ACL to a router.

    The first thing to decide is whether the traffic that we are filtering is going in or out of the router. In other words, where the traffic is coming from (source) and where the traffic is going (destination).

    Users on a network trying to access websites on the Internet is a good example of traffic going OUT, whereas downloading files from the Internet is a good example of traffic coming IN to the network.


    Configuring ACLs on an Interface - In or Out

    Applying ACLs to a router means deciding which interface you want the router to filter traffic on and then applying the ACL to that interface. For example, part of the command for applying an ACL numbered 10 to a serial interface is...

    Router(config)#int s0

    Router(config-if)#ip access-group 10

    This means the router will filter traffic on the serial port using the ACL numbered 10. The ip access-group 10 command tells your router to apply the ACL numbered 10 to the serial interface and filter traffic on that port, using the rules you defined in the list.

    The missing part of the command above is the direction part. You must also tell the router in which direction to filter the traffic. Consider the command...

    Router(config-if)#ip access-group 10 in

    This means, filter traffic coming IN to the router through the serial port.

    Whereas, this command...

    Router(config-if)#ip access-group 10 out

    ...means, filter traffic going OUT of the router through the serial port.

    Deciding on which interface to apply an ACL and the direction can be one of the most confusing parts of applying ACLs. This is mostly because a router usually comes with one or more serial interfaces and one or more Ethernet interfaces.

    When deciding on the direction in which you want to filter traffic it is helpful to consider things from the router's point of view.

    Consider a router with two interfaces, a serial port and an Ethernet port. Traffic passing through a router from the serial port to the Ethernet port must enter IN through the serial port and then OUT through the Ethernet port.

    And vice versa...

    One thing must be made absolutely clear, the term IN means into the ROUTER, not into an interface. The term OUT means out of the ROUTER and not out of the interface.

    Now, to finish off this section, let's suppose, you wanted to apply an ACL to stop certain Internet traffic from reaching your LAN through a serial interface. You could apply your ACL to the serial interface, which is the first port the traffic reaches from outside, and stop the traffic from entering IN to the router through the interface. However, you could equally well apply the ACL to the Ethernet port and stop the same traffic from exiting OUT of the router through that interface.

    Also, what if you have more than one router on your network? Which router do you apply the ACLs to? We will discuss that in the next section.


     Activity A

       Now, to test yourself on correctly applying ACLs to an interface, answer these questions. 

    1. You wish to apply an ACL to the Ethernet interface of a router to prevent FTP traffic from reaching the LAN. In which direction would you apply the ACL?

    2. You wish to apply an ACL to the Serial interface of a router to permit web access to the Internet. In which direction would you apply the ACL?

    3. You wish to apply an ACL to the Serial interface of a router to permit emails from the Internet into the network. In which direction would you apply the ACL?

    Access Control List Placement - Which Router?

    There is one final point to consider when applying ACLs. Look at the network diagram below. It has more than one router on which an ACL could be placed. So how do we decide which router is the best one for the task?

    Suppose we want to block the RTA LAN from accessing the RTB LAN. Well, the ACL might look similar to this...

    access-list 10 deny 192.168.100.0 0.0.0.255
    ! without this line the implicit deny at the end of the list would block all other traffic too
    access-list 10 permit any

    But which router and which interface should the ACL be applied to?

    We could apply the ACL to RTA's serial interface and stop traffic destined for the RTB LAN ever leaving the router. There, all sorted; the unwanted traffic will be filtered out.

    But, wait a minute, we have more choices. We could also apply the ACL to...

      • RTA's E0 interface in
      • RTB's S0 interface in
      • RTB's E0 interface out

    All of these would work. So which is the best choice?

    To save us time worrying about these decisions, someone with a lot of time on their hands decided that it is best to follow the recommendations listed below when deciding on which particular router to place an ACL.

    • Standard ACLs - Place as close to destination as possible.
    • Extended ACLs - Place as close to source of traffic as possible.

    So, for our problem above, since it is a standard ACL, it seems it is best to apply it to RTA's Ethernet interface, since this interface is closest to the traffic's destination point.

    To help you understand why standard ACLs should be applied as near to the destination as possible but extended are applied as near to the source as possible, consider the following analogy.

    Think of an ACL as a bouncer outside a club with a list of rules!

    Suppose you have a "standard" bouncer and your home is included in the list stating that you cannot enter the club. Then they put him outside your front door - he can only ask you one question - Where are you from (source)? You will never be allowed to leave your home!!

    Suppose now he was an "extended" bouncer. Then he could ask you - Where are you going (destination)? As long as it was not the club you would be allowed out. If it was the club then he might as well block you straight away, as close to your home (source) as possible!!
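    To make the placement rule explicit, here is an added example (not part of these notes) that applies it to a constructed chain of three routers, R1, R2 and R3, with the source LAN on R1 e0 and the destination LAN on R3 e0. Every router, interface and direction in it is an assumption for illustration. It also counts how many routers forward the traffic before a given placement drops it, which is the cost the rule is trading off against what a standard ACL can see.

```python
# Constructed topology (not the diagram from the notes): a chain of routers between
# two LANs. Each hop records the interface the traffic enters and the one it leaves by.
PATH = [
    ("R1", "e0", "s0"),   # source LAN hangs off R1 e0
    ("R2", "s0", "s1"),
    ("R3", "s1", "e0"),   # destination LAN hangs off R3 e0
]

def candidate_placements(path):
    """Every (router, interface, direction) on the path that would see the traffic."""
    spots = []
    for router, in_if, out_if in path:
        spots.append((router, in_if, "in"))     # IN: as the packet enters the router
        spots.append((router, out_if, "out"))   # OUT: as the packet leaves the router
    return spots

def hops_wasted(path, placement):
    """Number of routers that forward the packet before the chosen placement drops it."""
    return candidate_placements(path).index(placement) // 2

def recommended_placement(path, acl_type):
    spots = candidate_placements(path)
    if acl_type == "standard":
        # A standard ACL sees only the source address. Near the source it would also
        # block that LAN's traffic to everywhere else, so it goes at the destination end.
        return spots[-1]
    if acl_type == "extended":
        # An extended ACL also sees the destination, so it can drop the unwanted
        # traffic at the first interface it reaches instead of carrying it across the network.
        return spots[0]
    raise ValueError(f"unknown ACL type: {acl_type}")
```

    For the constructed chain, the standard ACL lands on R3 e0 out and the extended ACL on R1 e0 in; hops_wasted shows that the standard placement lets R1 and R2 forward the traffic before it is dropped, which is the price paid for not being able to match on destination.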

    Now, just to finish off, here are some additional rules you should also keep in mind when making these decisions.

    • Only one ACL per port per direction is allowed.
    • If a packet does not match the ACL statement then it will be implicitly denied.
    • Once a packet matches an ACL statement no further statements are checked. In other words, the first matching statement wins.
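    As an added example that is not part of these notes, the following Python script models the three rules above together with the IN/OUT semantics from the earlier section. It parses numbered ACL statements in the syntax the notes use (ACL 10 and ACL 101 are the statements quoted in these notes; the permit any statement, ACL 20, the router RTA with interfaces e0 and s0, and every packet are constructed for the example), applies Cisco wildcard-mask matching, evaluates statements in order with first match wins and an implicit deny at the end, and refuses a second ACL on the same interface and direction. It handles only the subset of syntax shown: numbered standard and extended lists, any, host, and a destination eq port given as a number.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# Constructed configuration. ACL 10 and 101 are from the notes; 'permit any' and ACL 20 are added here.
SAMPLE_CONFIG = """
access-list 10 deny 192.168.100.0 0.0.0.255
access-list 10 permit any
access-list 101 permit tcp 192.168.200.0 0.0.0.255 any eq 80
access-list 20 deny host 10.1.1.7
access-list 20 permit 10.1.1.0 0.0.0.255
"""

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"             # "ip", "tcp", "udp", ...
    dport: Optional[int] = None   # destination port, for tcp/udp

@dataclass
class Entry:
    action: str; proto: str       # "permit"/"deny"; protocol "ip" matches every protocol
    src: int; src_wc: int         # address and Cisco wildcard mask, as 32-bit integers
    dst: int; dst_wc: int
    dport: Optional[int]

def _addr(tokens, i):
    """Parse one address spec at tokens[i]; return (address, wildcard, next index)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    addr = int(ipaddress.IPv4Address(tok))
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        return addr, int(ipaddress.IPv4Address(tokens[i + 1])), i + 2
    return addr, 0, i + 1          # no wildcard given: IOS assumes 0.0.0.0 (a single host)

def parse_config(text):
    """Return {acl_number: [Entry, ...]} in the order the statements were entered."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] != "access-list": continue   # skip blank lines and '!' comments
        number, action = int(t[1]), t[2]
        if number < 100:                    # standard ACL: source address only
            src, src_wc, _ = _addr(t, 3)
            entry = Entry(action, "ip", src, src_wc, 0, 0xFFFFFFFF, None)
        else:                               # extended ACL: protocol, source, destination, [eq port]
            src, src_wc, i = _addr(t, 4)
            dst, dst_wc, i = _addr(t, i)
            dport = int(t[i + 1]) if t[i:i + 1] == ["eq"] else None
            entry = Entry(action, t[3], src, src_wc, dst, dst_wc, dport)
        acls.setdefault(number, []).append(entry)
    return acls

def _wc_match(addr, wildcard, ip):
    # Cisco wildcard semantics: a 0 bit must match, a 1 bit is "don't care".
    return (int(ipaddress.IPv4Address(ip)) & ~wildcard) == (addr & ~wildcard)

def evaluate(entries, pkt):
    """First matching statement wins; a packet that matches nothing is implicitly denied."""
    for e in entries:
        if (e.proto != "ip" and e.proto != pkt.proto) or (e.dport is not None and e.dport != pkt.dport):
            continue
        if _wc_match(e.src, e.src_wc, pkt.src) and _wc_match(e.dst, e.dst_wc, pkt.dst):
            return e.action
    return "deny"

class Router:
    """Holds the 'ip access-group N in|out' bindings: one ACL per interface per direction."""
    def __init__(self, name, acls):
        self.name, self.acls, self.groups = name, acls, {}
    def ip_access_group(self, iface, number, direction):
        if (iface, direction) in self.groups:
            raise ValueError(f"{iface} already has an ACL applied {direction}")
        self.groups[(iface, direction)] = number
    def forward(self, pkt, in_iface, out_iface):
        """IN is checked as the packet enters the router, OUT as it leaves; returns (verdict, where)."""
        for iface, direction in ((in_iface, "in"), (out_iface, "out")):
            number = self.groups.get((iface, direction))
            if number is not None and evaluate(self.acls[number], pkt) == "deny":
                return "deny", f"{self.name} {iface} {direction}"
        return "permit", "forwarded"

def demo():
    acls = parse_config(SAMPLE_CONFIG)
    # Constructed LAN host browsing the Internet: it enters RTA via e0 and leaves via s0,
    # so ACL 10 applied 'in' on s0 never sees it, while the same ACL applied 'out' on s0 does.
    lan_to_wan = Packet("192.168.100.5", "203.0.113.9", "tcp", 80)
    rta_in, rta_out = Router("RTA", acls), Router("RTA", acls)
    rta_in.ip_access_group("s0", 10, "in")
    rta_out.ip_access_group("s0", 10, "out")
    wrong_direction = rta_in.forward(lan_to_wan, "e0", "s0")
    right_direction = rta_out.forward(lan_to_wan, "e0", "s0")
    # Implicit deny: ACL 101 permits only TCP port 80, so HTTPS from the same LAN is dropped.
    https = evaluate(acls[101], Packet("192.168.200.7", "198.51.100.2", "tcp", 443))
    # First match wins: host 10.1.1.7 hits the deny before the broader permit for its LAN.
    host7 = evaluate(acls[20], Packet("10.1.1.7", "10.2.2.2"))
    return wrong_direction, right_direction, https, host7
```

    Calling demo() shows the two points most often got wrong in practice: the same ACL 10 lets the LAN traffic through when bound in on s0 (that traffic enters the router through e0, not s0) and drops it when bound out on s0, and ACL 101, having no permit for port 443, silently discards HTTPS because of the implicit deny.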

    Well, that is all there is to it. Perhaps ACLs will give you a headache at first or perhaps you will find them challenging, but whichever is true for you, with practice you will soon be blocking or permitting network traffic like a professional.



     Activity B

      Now try these questions on ACL placement. 

    1. You want to deny the RTC LAN access to the RTB LAN using a standard ACL. On which router and which interface would you apply the ACL?


    2. You want to deny the RTC LAN access to the RTA LAN using an extended ACL. On which router and which interface would you apply the ACL?


    3. The ACL shown below is for allowing the RTB LAN to access a web server on RTA. On which router and which interface would you apply the ACL?

        access-list 101 permit tcp 192.168.200.0 0.0.0.255 any eq 80


    Summary

    On completing these notes you should understand the following points:

    • Standard ACLs should be placed as close to destination as possible.
    • Extended ACLs should be placed as close to source of traffic as possible.
